Application Security

This chapter describes the configuration settings that protect JasperReports Server and its users from unauthorized access. The configuration properties appear in two locations:

Some properties must be configured during the installation and deployment phase, before users access the server. These settings are configured through files used by the installation scripts. These settings are available only when performing a WAR file installation.
Other properties are located in files in various folders after installation. Configuration file paths are relative to the <js-install> directory, which is the root of your JasperReports Server installation. To change the configuration, edit these files, then restart the server.

Because the locations of files described in this chapter vary with your application server, the paths specified in this chapter are relative to the deployed WAR file for the application. For example, the applicationContext.xml file is shown as residing in the WEB-INF folder; if you use the Tomcat application server bundled with the installer, the default path to this location is:

C:\Program Files\jasperreports-server-6.0\apache-tomcat\webapps\jasperserver-pro\WEB-INF

Use caution when editing the properties described in this chapter. Inadvertent changes may cause unexpected errors throughout JasperReports Server that may be difficult to troubleshoot. Before changing any files, back them up to a location outside of your JasperReports Server installation.

Do not modify settings that are not described in the documentation. Even though some settings may appear straightforward, values other than the default may not work properly and may cause errors.

This chapter contains the following sections:

Encrypting Passwords in Configuration Files
Configuring User Password Options
Configuring the User Session Timeout
Configuring CSRF Prevention
Configuring Input Validation
Restricting File Uploads
Hiding Stack Trace Messages
Defining a Cross-Domain Policy for Flash
Encrypting User Passwords
Encrypting User Session Login